When Postfix is the destination for multiple domains, does it need a TLS cert for every one of them, or just for the domain in $myhostname?
That is to say, are there SMTP clients out there who will check certs against the MX they used to look us up, or are they all smart enough to wait for the 220 response and/or do reverse DNS, and check against that?
Is it even possible to receive the 220 without checking the certificate first?
But otherwise, is it even possible for Postfix to know what cert the client wants?
EDIT: Even if they do reverse DNS, if clients are willing to accept MX addresses that resolve to arbitrary domains, isn't that trivial to MITM? Or is the solution to never use a vanity MX if I want TLS?
For my money, the way to do this is to avoid vanity MX. It's close to meaningless, anyway - how many actual people ever get to see your MX record? Vanity domains are fine, but TLS will be simpler if you have the MX record in all cases be the CN embedded in the certificate.
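To make the answer's point concrete, here is an added example (not code from the question or answer above) that checks whether one certificate's SAN names cover the MX hostnames a sending client would look up, for a shared-MX layout versus a vanity-MX layout. The domains, MX names and SAN list are constructed sample values; the optional live probe needs network access to port 25.

```python
"""Does one server certificate cover every MX name that clients will verify?
Added example; hostnames and SAN entries below are constructed samples."""
import smtplib
import ssl

# Constructed sample: SAN entries on the cert Postfix presents (smtpd_tls_cert_file).
CERT_SANS = ["mail.example.com"]
# Layout A: every domain's MX points at the same hostname (the answer's advice).
SHARED_MX = {"example.com": "mail.example.com",
             "example.net": "mail.example.com",
             "example.org": "mail.example.com"}
# Layout B: vanity MX per domain, all resolving to the same Postfix box.
VANITY_MX = {"example.com": "mail.example.com",
             "example.net": "mail.example.net",
             "example.org": "mail.example.org"}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    leftmost wildcard label that covers exactly one host label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and host.count(".") == pattern.count("."):
        return host.partition(".")[2] == pattern[2:]
    return False


def uncovered_mx(san_names, mx_by_domain):
    """Return sorted (domain, mx) pairs whose MX name matches no SAN entry.
    A client that verifies the cert against the MX name it looked up would
    refuse (or downgrade) delivery for exactly these domains."""
    return sorted((dom, mx) for dom, mx in mx_by_domain.items()
                  if not any(name_matches(san, mx) for san in san_names))


def live_mx_sans(mx_host: str, timeout: float = 10.0):
    """Optional live probe: STARTTLS to an MX and return the DNS SANs it
    presents. Chain validation stays on; only hostname matching is skipped so
    the SAN list is returned for inspection instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    print("shared MX uncovered:", uncovered_mx(CERT_SANS, SHARED_MX))
    print("vanity MX uncovered:", uncovered_mx(CERT_SANS, VANITY_MX))
```

With the shared layout nothing is uncovered; with the vanity layout every domain whose MX name is not on the certificate is reported, which is the case the answer recommends avoiding.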